problems with java

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

problems with java

Postby marcin_1 » Tue Dec 17, 2002 12:23 pm

Hi,
I have grsec-rc1 for 2.4.20 kernel. When i use Mozilla 1.2.1 and i open page that includes java applet i got this problem: sometimes java applets works fine but sometimes Mozillla crashes and in /var/log/messages i have this:
kernel: grsec: signal 11 sent to (java_vm:17519) UID (501) EUID(501), parent (java_vm:21523) UID (501) EUID(501)
kernel: grsec: signal 11 sent to (java_vm:27757) UID (501) EUID(501), parent (mozilla-bin:10123) UID (501) EUID(501)
last message repeated 2 times

What's wrong with applets? Interesting is that i don't have problemms with compiling and running my own java programms (not applets).
I have Sun java v1.4.1

Without grsecurity everthing works fine. When i was using 2.4.19 kernel with grsecurity, applets were (sometimes) crashing too.

Any suggestion?
marcin_1
 
Posts: 8
Joined: Tue Dec 17, 2002 12:10 pm

Postby spender » Tue Dec 17, 2002 2:42 pm

download chpax.c from http://pageexec.virtualave.net/chpax.c

compile it, then find the location of java_vm, and chpax -sp java_vm

The reason it's crashing is because it's trying to execute code in a non-executable region, which PaX won't allow.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

:(

Postby marcin_1 » Thu Dec 19, 2002 11:28 am

:(
It didn't help...
Mozilla still sometimes 'crash' when java applets are loaded...
And it puts into /var/log/messages the same informations as above.
marcin_1
 
Posts: 8
Joined: Tue Dec 17, 2002 12:10 pm

Re: :(

Postby PaX Team » Thu Dec 19, 2002 1:38 pm

marcin_1 wrote:Mozilla still sometimes 'crash' when java applets are loaded...
And it puts into /var/log/messages the same informations as above.
can you post or email us the result of 'grep PAX /var/log/messages' please?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

hmmmm

Postby marcin_1 » Fri Dec 20, 2002 8:54 am

It shows nothing...
marcin_1
 
Posts: 8
Joined: Tue Dec 17, 2002 12:10 pm

Re: hmmmm

Postby PaX Team » Fri Dec 20, 2002 3:46 pm

marcin_1 wrote:It shows nothing...
unless you're logging KERN_ERR level messages elsewhere, all i can say is that your problem is at least not caused by the non-executable page feature. the next thing you should try is to disable randomization (chpax -r) on the java VM and see if that helps (also could you post the chpax -v output please?).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

hmmmm

Postby marcin_1 » Tue Dec 24, 2002 9:34 am

i've checked /var/log/kernel/error.log - and there are only lines with kernel: grsec: signal 11 sent to.... (as quoted above).
Strange thing is that when i've tried running mozilla as root everything looked fine. No crashing when loading java applets.

I've tried chpax on java_vm in many ways, but none of them helped.
Any ideas?
marcin_1
 
Posts: 8
Joined: Tue Dec 17, 2002 12:10 pm

Re: hmmmm

Postby PaX Team » Tue Dec 24, 2002 11:36 am

marcin_1 wrote:i've checked /var/log/kernel/error.log - and there are only lines with kernel: grsec: signal 11 sent to.... (as quoted above).
Strange thing is that when i've tried running mozilla as root everything looked fine. No crashing when loading java applets.
well, i'm pretty sure that PaX itself has no uid sensitive code in it, so your problems must come from somewhere else. you can either debug the crashes or try to disable various grsec kernel options one by one and see at which point the problems disappear.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby hardigunawan » Wed Feb 19, 2003 11:04 pm

I've the same problem. After some experimenting with chpax, I got it working :D

My setting is:

----[ chpax 0.2 : Current flags for /usr/j2re1.4.1/bin/java_vm ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : restricted
* mmap() base : not randomized
* ET_EXEC base : randomized
* Segmentation based PAGE_EXEC : enabled
hardigunawan
 
Posts: 10
Joined: Tue Jan 14, 2003 5:10 am

Postby PaX Team » Thu Feb 20, 2003 5:19 am

hardigunawan wrote: * mmap() base : not randomized
* ET_EXEC base : randomized
well, having RANDEXEC enabled without RANDMMAP does not do much except slow down the given app, so you may as well disable it as well ;-). btw, what features did you enable in your kernel config?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby fonya » Thu Feb 20, 2003 7:20 am

kernel: grsec: signal 11 sent to (java_vm:17519) UID (501) EUID(501), parent (java_vm:21523) UID (501) EUID(501)
kernel: grsec: signal 11 sent to (java_vm:27757) UID (501) EUID(501), parent (mozilla-bin:10123) UID (501) EUID(501)
last message repeated 2 times


Take a probe: start your mozilla-bin (sitting in /usr/lib/mozilla*/mozilla-bin)
type a java url, if you get en error from java, like this:
GetGlobalServiceManager__16nsServiceManagerPP17nsIServiceManager
You must recompile mozilla with gcc 2.95, or similar.
If not, ignore this :)
/Java re, and sdk was compiling whit 'older' gcc, and don't like gcc 3.x/

An my chpax settings:

----[ chpax 0.2 : Current flags for /home/java/j2sdk1.4.0_03/bin/java_vm ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled

----[ chpax 0.2 : Current flags for /usr/lib/mozilla-1.2.1/mozilla-bin ]----

* Paging based PAGE_EXEC : enabled (overridden)
* Trampolines : not emulated
* mprotect() : restricted
* mmap() base : randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : enabled
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am


Return to grsecurity support

cron